Don't crash if the header mysteriously gets too big. (Thanks to nelhage@mit.edu for noticing)

author: Karl Ramm <kcr@1ts.org> 2010-08-22 00:56:14 +0000
committer: Karl Ramm <kcr@1ts.org> 2010-08-22 00:56:14 +0000
commit: 45a5927fc4d7e6cefdf6cbd46e186931ba4bf42b (patch)
tree: 6cfa9ff6a9fc36c0772e3cb3a5f0e46dd1eb4616 /server/realm.c
parent: b110bf96d4687ccc35c717dbc750bbb6fa420ee0 (diff)
1 files changed, 6 insertions, 2 deletions
diff --git a/server/realm.c b/server/realm.c
index 69c98eb..5de5d7e 100644
--- a/server/realm.c
+++ b/server/realm.c
@@ -1121,14 +1121,18 @@ realm_sendit_auth(ZNotice_t *notice,
 	origoffset = 0;
 	origlen = notice->z_message_len;
 
-	if (notice->z_multinotice && strcmp(notice->z_multinotice, ""))
+	if (notice->z_multinotice && strcmp(notice->z_multinotice, "")) {
 	    if (sscanf(notice->z_multinotice, "%d/%d", &origoffset,
 		       &origlen) != 2) {
 		syslog(LOG_WARNING, "rlm_sendit_auth frag: parse failed");
 		return ZERR_BADFIELD;
 	    }
+	}
+
+	fragsize = Z_MAXPKTLEN - hdrlen - Z_FRAGFUDGE;
 
-	fragsize = Z_MAXPKTLEN-hdrlen-Z_FRAGFUDGE;
+	if (fragsize < 0)
+	    return ZERR_HEADERLEN;
 
 	while (offset < notice->z_message_len || !notice->z_message_len) {
 	    (void) sprintf(multi, "%d/%d", offset+origoffset, origlen);
author	Karl Ramm <kcr@1ts.org>	2010-08-22 00:56:14 +0000
committer	Karl Ramm <kcr@1ts.org>	2010-08-22 00:56:14 +0000
commit	45a5927fc4d7e6cefdf6cbd46e186931ba4bf42b (patch)
tree	6cfa9ff6a9fc36c0772e3cb3a5f0e46dd1eb4616 /server/realm.c
parent	b110bf96d4687ccc35c717dbc750bbb6fa420ee0 (diff)